• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Password warning while updating to Obsidian 18.0.21

Denis Gomes Franco

Regular Pleskian
Hey, I think I may have found a small bug.

While updating my servers to 18.0.21, one of them showed this message beforehand:

WARNING: There are 6 accounts with passwords encrypted using a deprecated algorithm. Please refer to Plesk upgrade warning: There are accounts with passwords encrypted using a deprecated algorithm for the instructions about how to change the password type to plain.

I followed the instructions in the article and tracked down these objects (database users). I fixed the issue by retrieving the current password from wp-config.php (these are all Wordpress sites) and applying the same password to the users. That did the trick.

Then I noticed... these sites were migrated from Cpanel using the migration tool. So I believe the bug is that the migration routine is recreating the database users from the old server with the same password (so as to not break the website) but using a deprecated algorithm.

So my suggestion is to review the migration code so as to create new database users using the new password algorithm.
 
What you're asking is practically impossible. The password encryption can't be reversed, therefore the clear text passwords can't be easily recreated. And without the clear text passwords, the automated transfer mechanism has no way of encrypting the passwords using a newer algorithm.

Keep in mind that you were able to manually get the clear text passwords only because you had access to the site code and knew where to look. First, the code might not always be available, and second, an automated transfer mechanism can't read passwords as easily as a human can, because they are not always written in the same place or in the same form.

I'd advise anyone migrating the sites from other control panels and dealing with the deprecated algorithms, to deal with it right away. Recreate the passwords or even reset them if needed be, don't wait for it to become an issue later on.
 
In this case, maybe some warning somewhere during the transfer would be nice. Or was it so hidden that I didn't see it.

In any case I'm glad it showed up during the upgrade procedure so it could be dealt right away.
 
Back
Top